Capturing Traffic with the Cisco ASA

I have written quite a few things lately about capturing traffic so why not write another?   This time we will be taking a look at capturing data from another key place in the network; the firewall.0

The Cisco ASA firewall has functionality built in that allows the capturing of traffic to onboard buffer.  The contents of that buffer can then be viewed or downloaded as a typical PCAP file.  Let’s dive right into some examples!


I suggest capturing only with an access list applied to limit the size of the capture buffer as well as to limit the amount of stuff you will have to wade through when reviewing the capture.  To get stated simply create an access list.  I will be using a simple two line list like this to watch the action between my system and the internet on the HTTP port 80.

asa-host(config)# access-list CAP extended permit tcp host 192.168.1.100 gt 1024 any eq www
 
asa-host(config)# access-list CAP extended permit tcp any eq www host 192.168.1.100 gt 1024

Next, we want to put the capture to work.  The minimum syntax is something like this:

asa-host#capture <capture name>  interface

That will capture everything seen on that interface.  Like I said, I like throwing a filter on it like this:

asa-host# capture TEST interface inside access-list CAPTURE circular-buffer

This will capture only traffic seen on the inside interface that matches the CAPTURE access list.  The information is the buffered in a circular buffer meaning that the oldest captured data is pushed out to make room for new once the buffer reaches its size limit.

To view the capture you can do a few different things… First, connect to the asa-host# with your web browser like this:

https://<ASA IP Address>/admin/capture/<capturename>

This prints results:

43 packets captured
 
1: 14:58:04.958065 192.168.1.100.43253 > 74.125.131.105.80: S 2621750554:2621750554(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2: 14:58:04.958385 192.168.1.100.43254 > 74.125.131.105.80: S 3748621921:3748621921(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
3: 14:58:05.000030 74.125.131.105.80 > 192.168.1.100.43254: S 217068245:217068245(0) ack 3748621922 win 14300 <mss 1380,nop,nop,sackOK,nop,wscale 6>
4: 14:58:05.000350 192.168.1.100.43254 > 74.125.131.105.80: . ack 217068246 win 16560
5: 14:58:05.001007 74.125.131.105.80 > 192.168.1.100.43253: S 1683140320:1683140320(0) ack 2621750555 win 14300 <mss 1380,nop,nop,sackOK,nop,wscale 6>
6: 14:58:05.001251 192.168.1.100.43253 > 74.125.131.105.80: . ack 1683140321 win 16560
7: 14:58:05.001754 192.168.1.100.43253 > 74.125.131.105.80: P 2621750555:2621751089(534) ack 1683140321 win 16560
8: 14:58:05.044980 74.125.131.105.80 > 192.168.1.100.43253: . ack 2621751089 win 241
9: 14:58:05.084620 74.125.131.105.80 > 192.168.1.100.43253: . 1683140321:1683141701(1380) ack 2621751089 win 241
10: 14:58:05.085307 74.125.131.105.80 > 192.168.1.100.43253: . 1683141701:1683143081(1380) ack 2621751089 win 241

 
This works well for quick viewing but what about a more detailed anylysis with something like Wireshark?  Browse to:

https://<ASA IP address>/admin/capture/<capture name>/PCAP

This will prompt you to save or open a file.  Save with the “.pcap” extension and open with Wireshark.

When you are done capturing you can (and should!) stop the capture with the negated “no” command:

asa-host#no capture <capture name>

Be sure to check out the help with this command with the “?” command.  There are plenty of fine tunning options to accomadate your capturing needs.
 

asa-host#5510# capture ?
WORD < 245 char  Capture name
 
asa-host#5510# capture TEST ?
access-list      Capture packets that match access-list
buffer           Configure size of capture buffer, default is 512 KB
circular-buffer  Overwrite buffer from beginning when full, default is
non-circular
ethernet-type    Capture Ethernet packets of a particular type, default is IP
headers-only     Capture only L2, L3 and L4 headers of packet without data in them
interface        Capture packets on a specific interface
match            Capture packets matching five-tuple
packet-length    Configure maximum length to save from each packet, default
is 1518 bytes
real-time        Display captured packets in real-time. Warning: using this
                 option with a slow console connection may result in an
                 excessive amount of non-displayed packets due to performance
                 limitations.
trace            Trace the captured packets
type             Capture packets based on a particular type

I hope someone found this useful!

This entry was posted in Networking, Security and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *